Loading...
Loading...
When AI goes off the rails, we document it.
A community-driven platform for reporting and tracking weird, dangerous, and hilarious LLM behavior. Verified. Categorized. Searchable.
lol
Ragdoll Man
Google spent over a decade telling developers that API keys (used for Maps, Firebase, etc.) are not secrets and safe to embed in public website code. When the Gemini API was enabled on Google Cloud projects, those same public keys silently gained access to sensitive Gemini endpoints — no warning, no confirmation, no email. Truffle Security scanned millions of websites and found 2,863 live Google API keys, originally deployed for public services, that now authenticate to Gemini. With a valid key, an attacker can access uploaded files, cached data, and charge LLM usage to the account. Even Google's own public API keys were vulnerable, granting access to Google's internal Gemini. Google initially classified this as intended behavior before reversing course.
Paste a share link from ChatGPT, Claude, or Gemini. We verify it's real.
Tag it as Skynet, Harmful, Unhinged, or one of our other categories.
See which models are misbehaving and how AI safety evolves over time.
Help us build the largest database of AI failures. Your report could help make AI safer.
Submit a Report